Dotting the "i"s in Identity

Monthly Archives: February 2009

For the first time since the introduction of the UK’s Freedom of Information Act, the Justice Secretary has decided to use the ministerial veto option to prevent the publication of Cabinet minutes from 2003. The minutes in question relate to the Cabinet’s discussion of the legality of going to war with Iraq.

The Information Commissioner had already ruled that the minutes should be released; the Government appealed to the Information Tribunal for a review of that decision, and the Information Tribunal rejected their appeal. Interestingly, the Justice Minister had a choice: he could have taken the Information Tribunal’s decision to the High Court – but instead has peremptorily vetoed it, guillotining the legal process.

This will do little to quell the suspicions of those who believe that the minutes would show that the public were misled about the decision to invade Iraq.

The British Computer Society (BCS) has issued a bluntly-worded critique of the data-sharing proposals buried in the Coroners and Justice Bill. Buried in the Bill are clauses which set out powers for any government minister to make an order for the sharing of personal data “in order to secure a relevant policy objective”.

The BCS document notes that these powers are wide-ranging and general, and that the Bill does not set out any corresponding checks and balances to curtail their inappropriate use.

The BCS further notes that the Bill is likely to contravene UK and EU Human Rights legislation, that it undermines the fundamental principles of the Data Protection Act 1998, that it weakens the independence of the incoming Information Commissioner (welcome to your new job, Mr Graham…), and that it will do further damage to the public’s condifence in government’s ability (and willingness) to process personal data with due regard to personal privacy.

The BCS’ position is neither trivial nor new. As David Evans points out in his blog post here, it is based on, among other things, a programme of consultation going back to 2006. The current Information Commissioner, Richard Thomas, expressed his deep concerns at the Bill last year, both in formal statements from his office, and in his keynote speech at the Privacy By Design conference.

It seems clear that, at one level, the intention of clauses 152-154 is simplification. Someone, somewhere must have concluded that the current position on data-sharing is just too complex, and that what is needed is a straightforward clause which cuts through all the nonsense and says “here’s why we want to share this data, it’s obviously sensible for us to do so, let’s get on with it”.

The issue is that, complicated and confusing as it may be, the patchwork of privacy-enhancing legislative measures we have in the UK consists of elements which are there for a reason, and are intended to protect both individuals and the public good. The main effect of introducing a ‘simplfying’ clause which allows ministers to over-ride existing protections is actually to make matters more complicated and more confusing – because these conflicting laws will now have to be played off against one another, both in plans to implement public policy and (with a grinding inevitability) in the national and European courts.

Quite apart from any other consideration, it ought surely to arouse the most lively scepticism when an existing Act (the Data Protection Act) is fundamentally modified by clauses buried deep in a separate bill ostensibly about ‘Coroners and Justice’. Clauses 152-154 deserve to be flushed out of their obscure hiding-place in the Coroners and Justice Bill, and into that sunlight which Justice Louis Brandeis described as “the best disinfectant”.

Incidentally, Justice Brandeis said a couple of other things which bear repeating in this context:

“Electric light [is said to be] the most efficient policeman” – which, given that he said it in 1913, was as accurate a harbinger of the technological surveillance society as one could ask for. Today he would have referred to CCTV, communications interception and automatic numberplate recognition, but the underlying principle is the same.

He also said, though, that “if we desire respect for the law, we must first make the law respectable.” In that regard, clauses 152-154 set a regrettably poor example.

There’s an interesting piece on ZDNet today about Microsoft’s imminent IE8 browser and the “Compatibility List” it includes. The background to this is that, as the article’s author May Jo Foley puts it, most websites are written so that they will work ‘correctly’ with previous, non-standards-based versions of IE. In fudging things so that they would work with IE, apparently a lot of web site creators have ended up with sites which now may not display correctly with IE8.

Foley goes on to make the following Sibylline observation: “I doubt the compatibility experience is going to change much, if at all, between now and the time IE 8 is released. For months, Microsoft has been banging the drum for site owners to update their code — either by adding compatibility tags or redoing sites to take into account the changes in IE 8.”

Well, who can blame the site owners? I have recently had to build two websites of my own, for the first time in a few years. I used standard, opens-source site creation tools provided by my hosting company, and frankly, if IE8 can’t or won’t render the results properly, I have a hard time seeing how that is my problem to fix. I can’t get rid of the mental image of a dog being vigorously wagged by its tail. The situation is, as so often, most elegantly summed up by the late Douglas Adams: “In cases of major discrepancy [it’s] always reality that’s got it wrong”.

Incidentally, there is practically no prospect of my discovering, first-hand, whether or not my site is IE8-compatible or not – so if you find out, please be so kind as to let me know (and I’ll pass the message on to the IE8 folks…).

Foley also says, in a rather uncharacteristic burst of MS-antipathy:

“I’m at the point now — if a site looks weird, is slow or just doesn’t seem to be working right — I simply assume it is IE 8’s fault. […] The bottom line is I’ve come to expect a rocky browsing experience when using IE 8.”

This year, in May, Global Security Solutions will be running its second Identity Management (IDM) and Privacy Conference (Johannesburg, 5th-7th May). Full details are online here, ‘early bird’ registration is still available until the end of this month, and there are combined conference/travel packages available for UK/European attendees.

I will have the pleasure of speaking at the conference, but that isn’t why you should go; GSS have an unusually comprehensive and thorough approach to this area, in that they look at the whole IDM life-cycle (from risk assessment through policy and implementation to governance and audit…), and at IDM’s relevance to the full range of business functions (audit, change/BPM, compliance, HR/provisioning and so on). This year, privacy is s strong theme – as, of course, is the question of how to manage identity and privacy risk effectively when resources are being squeezed.

This conference comes at a time when GSS is expanding its operations into the Northern hemisphere, with a new office in the UK. It’s an exciting time for them, and I’m sure that excitement will rub off on this year’s conference – it should be great fun, and I hope some of you can make it…

There’s news today that David Mills, tax lawyer and estranged husband of Tessa Jowell MP, has been found guilty of accepting a bribe, allegedly paid by Italian Prime Minister Silvio Berlusconi. Mills, who was sentenced to 4 1/2 years’ imprisonment, was not in court and is expected to appeal against the judgement.

If this rings a bell, it may be because the bribe surfaced in 2006 as part of the “Jowellgate” scandal. If you recall, a few weeks after Mr Mills received these funds, he and his then wife happened to pay off a £408,000 mortgage. Mr Mills has variously confirmed and denied that the money in question came from Mr Berlusconi.

During the investigation into whether Ms Jowell had broken the rules of the Ministerial Code of Conduct at the time, she said that her husband had received a sum of money “which he thought he had reasonable grounds to believe was a gift”. A phrase so circuitous that it alone ought to give one reasonable grounds to believe that some wool is being spun.

Apparently Mr Mills did not mention the gift to his wife (who was a co-signatory on the mortgage), and she therefore did not know to declare it under the Code of Conduct. Both the Cabinet Secretary, Gus O’Donnell, and the then Prime Minister Tony Blair, concluded that Ms Jowell had done nothing wrong.

Ms Jowell is currently the government’s Paymaster General and is Minister for the 2012 Olympics, a project whose budget is about £9.3bn.

The debate on privacy has matured to the extent where it is increasingly (though not universally) appreciated that privacy and security are not the same goals or the same disciplines. However, occasionally something crops up which reveals that the concept of privacy is still a slippery one, treated very differently in different cultural and legislative contexts.

The case of Max Mosley is an illustrative one. Max (who is the head of the FIA – the international governing body of motorsport) is currently suing a number of media organisations in various European countries, because they alleged that he had taken part in a Nazi-themed sado-masochistic session with a number of prostitutes. Last year he succeeded in convincing a court that the sado-masochistic orgy in which he had been involved in had had no Nazi theme – and he was awarded £60,000 on the basis that his privacy had been breached by the publications. The ‘Nazi’ allegations may have struck a particularly sensitive nerve as Max is the son of the late Sir Oswald Mosley, leader of the UK’s fascists in the years before the second World War; presumably that’s also why the media thought it might sell more papers.

Max’ position, as I understand it, is that as long as an individual’s private activities are irrelevant to the activities of their public persona, there is seldom if ever a public interest argument in favour of publishing them, to the detriment of the individual’s privacy.

There are two problems with this superficially plausible argument.

Both are very well put here by Ian Hislop, editor of the satirical magazine Private Eye, which has been around for as long as I have, and has carved a niche for itself by exposing the differences between the actual and claimed behaviour of our public figures. He’s well qualified to have a view, incidentally; as the Wikipedia entry for “Private Eye” notes, he’s the most sued man in Britain.

The first problem, then, is that there will always be a legitimate judgement as to whether the individual’s private activities are, indeed, irrelevant to their public responsibilities. In Max’ case, for example, as the head of a multi-billion pound industry, he is often involved in adjudications over whether other motorsport figures have behaved honourably, ethically, and/or in compliance with the sport’s rules. That seems to me to call for a degree of personal integrity rooted in the individual’s behaviour, both private and public. As Ian Hislop puts it:

“I don’t think we’re yet at the point where we have a Mosley-style consensus that all forms of sexual activity, including paid prostitution, are acceptable behaviour in your private life.

“I think a lot of actions head into a grey area, where they help you assess character in those who are either in public office or who have official duties to perform.”

The second concerns the way in which this principle is already being put into practice in UK law. There have been a number of cases in which individuals have not only sought the suppression of material which a journalist intended to publish, but have gone further and sought injunctions against mentioning the fact that they have sought injunctions against publication. (If that has made your eyeballs spin, think of it this way: “Not only are you not allowed to say that I molest dormice, but you are not allowed to say that you have been forbidden to publish someting about me”).

That seems to me to be entirely a step too far. Even if we accept that publishing allegations about me and dormice would violate my privacy, I find it hard to give the same weight to mentioning the fact of the allegations without mentioning their substance.

The picture it sketches is of a media organisation which – perhaps repeatedly – threatens false allegations against an individual, complies with the injunction against publication, and then publishes articles to the effect that “Mr Volestrangler has repeatedly sought injunctions against this publication, and we can’t say what they were for, but as we all know, there’s no smoke without fire… nudge nudge”.

The question is, does that happen? And if so, does it happen frequently enough and with such damaging consequences that it justifies restricting the media in the way Max is pressing for?
Frankly, I doubt it. I’m sure there are many ways in which the UK’s privacy laws could be improved, but this isn’t one of them.

Post navigation

Please note:

This blog contains a mixture of "personal" and "work-related" posts, if you choose to make that distinction. None of the opinions expressed should be taken to represent either the views or policies of my employer.